Malware Analysis Report

2024-12-08 01:07

Sample ID 231111-mpbg4sdf9v
Target NEAS.9806e5cace590529db7af0ae9f95538c7699121acdf403aa8819fcdffcf02019.exe
SHA256 9806e5cace590529db7af0ae9f95538c7699121acdf403aa8819fcdffcf02019
Tags
mystic redline taiga infostealer persistence stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

9806e5cace590529db7af0ae9f95538c7699121acdf403aa8819fcdffcf02019

Threat Level: Known bad

The file NEAS.9806e5cace590529db7af0ae9f95538c7699121acdf403aa8819fcdffcf02019.exe was found to be: Known bad.

Malicious Activity Summary

mystic redline taiga infostealer persistence stealer

RedLine

Detect Mystic stealer payload

Mystic

RedLine payload

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-11 10:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-11 10:37

Reported

2023-11-11 10:40

Platform

win10v2004-20231023-en

Max time kernel

140s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.9806e5cace590529db7af0ae9f95538c7699121acdf403aa8819fcdffcf02019.exe"

Signatures

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7yV9jG46.exe
Target: N/A

Geo\Nation holds the user's Windows GeoID, the country chosen in Region settings. Reading it is a cheap geofence: a dropper that wants to avoid victims in particular countries checks this value and can exit before unpacking anything further. Here it is read by 7yV9jG46.exe, the component that also launches cmd.exe with is64.bat.

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\NEAS.9806e5cace590529db7af0ae9f95538c7699121acdf403aa8819fcdffcf02019.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DY1ok04.exe
Target: N/A

Caveat on the persistence tag: wextract_cleanupN values are what the Windows self-extractor (wextract.exe, the IExpress stub) writes whenever it unpacks into a %TEMP%\IXP00N.TMP directory. The command calls advpack.dll!DelNodeRunDLL32 once at the next logon to delete that directory, and Windows removes the RunOnce value before running it. The two entries therefore show that the sample is a two-level nested self-extracting package (NEAS.<sha256>.exe unpacks into IXP000.TMP, the inner DY1ok04.exe into IXP001.TMP); they do not relaunch any payload. No other Run or RunOnce write was recorded for this detonation, so the stealers' own persistence, if any, is not visible in this run.
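To tell self-extractor cleanup apart from a real autostart entry when this signature fires, here is a small classifier over the report's own Run/RunOnce rows. It is an added example written for this page, not Triage code or anything taken from the sample. The first two rows are the ones above; the third (an HKCU ...\Run\Updater value pointing at a file under AppData\Roaming) is a hypothetical autostart entry included for contrast and was not observed in this run.

```python
import re

# Constructed sample: the two "Set value (str)" rows from this report, process and
# target columns included, plus one HYPOTHETICAL genuine autostart row for contrast
# (value name "Updater" and its path are assumptions, not observed in the sandbox).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\NEAS.9806e5cace590529db7af0ae9f95538c7699121acdf403aa8819fcdffcf02019.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DY1ok04.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Updater\\updater.exe" C:\Users\Admin\AppData\Roaming\Updater\updater.exe N/A',
]

# Row layout: Set value (str) <key>\<Run|RunOnce>\<name> = "<data>" <writing process> <target>
ROW_RE = re.compile(
    r'^Set value \(str\) (?P<key>.+?)\\(?P<root>Run|RunOnce)\\(?P<name>\S+) = "(?P<data>.*)" (?P<proc>\S+) (?P<target>\S+)$'
)
# wextract/IExpress cleanup command: rundll32 advpack.dll,DelNodeRunDLL32 "<directory to delete>"
CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"?([^"]+)"?$', re.IGNORECASE
)


def unescape(data):
    # The report JSON-escapes value data: a doubled backslash stands for one
    # backslash and backslash-quote for a literal quote. Undo that in one pass.
    return re.sub(r'\\(.)', r'\1', data)


def classify_run_value(row):
    """Return a dict describing one Run/RunOnce write, or None if the row does not parse."""
    m = ROW_RE.match(row)
    if not m:
        return None
    data = unescape(m.group("data"))
    entry = {"root": m.group("root"), "name": m.group("name"),
             "writer": m.group("proc"), "command": data}
    cleanup = CLEANUP_RE.match(data)
    if m.group("root") == "RunOnce" and cleanup:
        # Self-deleting installer residue: runs once at next logon, removes the
        # extraction directory, and is consumed. Not persistence of a payload.
        entry["kind"] = "sfx-cleanup"
        entry["deletes"] = cleanup.group(1)
    else:
        # Anything else under Run/RunOnce really does start something at logon.
        entry["kind"] = "autostart"
    return entry


def triage_run_keys(rows):
    """Classify every parseable row; keeps report order."""
    return [e for e in (classify_run_value(r) for r in rows) if e]


if __name__ == "__main__":
    for e in triage_run_keys(SAMPLE_ROWS):
        extra = e.get("deletes") or e["command"]
        print(f"{e['root']}\\{e['name']}: {e['kind']} ({extra}) written by {e['writer']}")
```

Run against the rows above, the two wextract_cleanup values come out as sfx-cleanup with the IXP000.TMP and IXP001.TMP directories as the deletion targets, and only the hypothetical Updater value is reported as an autostart.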

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

The sandbox logs one row per WriteProcessMemory call; identical rows are collapsed here with a call count.

Description Indicator Process Target
PID 4972 wrote to memory of 1372 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\NEAS.9806e5cace590529db7af0ae9f95538c7699121acdf403aa8819fcdffcf02019.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DY1ok04.exe
PID 1372 wrote to memory of 4408 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DY1ok04.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1LU72yJ3.exe
PID 4408 wrote to memory of 4160 (10 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1LU72yJ3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1372 wrote to memory of 1944 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DY1ok04.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ha9165.exe
PID 1944 wrote to memory of 4660 (8 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ha9165.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4972 wrote to memory of 1936 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\NEAS.9806e5cace590529db7af0ae9f95538c7699121acdf403aa8819fcdffcf02019.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7yV9jG46.exe
PID 1936 wrote to memory of 4536 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7yV9jG46.exe C:\Windows\SysWOW64\cmd.exe

Reading the counts: every ordinary parent-to-child spawn in this run shows exactly three writes, consistent with the setup CreateProcess itself performs in a new child, and cmd.exe (PID 4536) is in that group. The two exceptions are the .NET host AppLaunch.exe: 1LU72yJ3.exe writes ten times into PID 4160 and 2ha9165.exe eight times into PID 4660. Together with the SetThreadContext signature in the summary and the dumps taken from the 0x400000 image-base region of both PIDs (see Files), this is the process-hollowing pattern: a signed framework binary is started suspended, its image is replaced with the stealer, and the main thread is redirected into it. The memory detections (four Mystic hits, one RedLine hit) line up with the four dumps from PID 4160 and the single image-base dump from PID 4660, so the hollowed AppLaunch.exe instances, not the dropped executables on disk, are where the stealer code runs. PID 4160 is also the process WerFault handled (see Processes).
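The same rows, fed to a short script that rebuilds the process tree and applies the write-count heuristic described above. This is an added example for this page, not part of the sandbox's tooling; the three-writes-per-ordinary-spawn baseline is an assumption taken from this report and should be re-checked against a known-benign run in your own environment before the heuristic is used for detection.

```python
import re
from collections import Counter, defaultdict

TMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE = TMP + "NEAS.9806e5cace590529db7af0ae9f95538c7699121acdf403aa8819fcdffcf02019.exe"
APPLAUNCH = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"


def _rows(src, dst, src_img, dst_img, n):
    return [f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"] * n


# Constructed sample: the WriteProcessMemory rows of this report, one line per
# logged call, with the repeat counts exactly as in the table.
WRITE_ROWS = (
    _rows(4972, 1372, SAMPLE, TMP + "IXP000.TMP\\DY1ok04.exe", 3)
    + _rows(1372, 4408, TMP + "IXP000.TMP\\DY1ok04.exe", TMP + "IXP001.TMP\\1LU72yJ3.exe", 3)
    + _rows(4408, 4160, TMP + "IXP001.TMP\\1LU72yJ3.exe", APPLAUNCH, 10)
    + _rows(1372, 1944, TMP + "IXP000.TMP\\DY1ok04.exe", TMP + "IXP001.TMP\\2ha9165.exe", 3)
    + _rows(1944, 4660, TMP + "IXP001.TMP\\2ha9165.exe", APPLAUNCH, 8)
    + _rows(4972, 1936, SAMPLE, TMP + "IXP000.TMP\\7yV9jG46.exe", 3)
    + _rows(1936, 4536, TMP + "IXP000.TMP\\7yV9jG46.exe", "C:\\Windows\\SysWOW64\\cmd.exe", 3)
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_writes(rows):
    """(src_pid, dst_pid, src_image, dst_image) per logged write; unparseable rows are skipped."""
    out = []
    for line in rows:
        m = ROW_RE.match(line.strip())
        if m:
            out.append((int(m[1]), int(m[2]), m[3], m[4]))
    return out


def build_tree(writes):
    """Parent links (the first writer into a PID is its creator), image per PID, write counts per edge."""
    parent, image, counts = {}, {}, Counter()
    for src, dst, src_img, dst_img in writes:
        parent.setdefault(dst, src)
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        counts[(src, dst)] += 1
    return parent, image, counts


def render_tree(writes):
    """Indented process tree, one 'pid image-name' line per process."""
    parent, image, _ = build_tree(writes)
    children = defaultdict(list)
    for pid in image:
        if pid in parent:
            children[parent[pid]].append(pid)
    lines = []

    def walk(pid, depth):
        name = image[pid].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{pid} {name}")
        for child in children[pid]:
            walk(child, depth + 1)

    for pid in image:
        if pid not in parent:
            walk(pid, 0)
    return lines


def hollowing_candidates(writes, baseline=3):
    """Flag system binaries written into by a non-system parent more often than a plain spawn needs.

    Assumption: in this sandbox an ordinary CreateProcess shows as `baseline` parent writes
    (three, as every non-hollowed pair in this report shows). Confirm with the SetThreadContext
    signature and a dump of the target's image base before calling it hollowing.
    """
    _, image, counts = build_tree(writes)
    hits = []
    for (src, dst), n in counts.items():
        system_target = image[dst].lower().startswith("c:\\windows\\")
        untrusted_source = not image[src].lower().startswith("c:\\windows\\")
        if system_target and untrusted_source and n > baseline:
            hits.append({"parent": src, "child": dst, "host": image[dst], "writes": n})
    return hits


if __name__ == "__main__":
    writes = parse_writes(WRITE_ROWS)
    print("\n".join(render_tree(writes)))
    for hit in hollowing_candidates(writes):
        print(f"hollowing candidate: {hit['parent']} -> {hit['child']} ({hit['host']}, {hit['writes']} writes)")
```

On this report the tree reproduces the Processes section below and the heuristic flags only the two AppLaunch.exe children (10 and 8 writes); cmd.exe, also a system binary spawned from the Temp directory, stays at the three-write baseline and is correctly left alone.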

Processes

Process tree, with PIDs taken from the WriteProcessMemory rows above; each process is listed as its image path followed by its command line. The parents of the two WerFault.exe instances were not logged; they are shown under the PID whose crash they handled.

4972  C:\Users\Admin\AppData\Local\Temp\NEAS.9806e5cace590529db7af0ae9f95538c7699121acdf403aa8819fcdffcf02019.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.9806e5cace590529db7af0ae9f95538c7699121acdf403aa8819fcdffcf02019.exe"
  1372  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DY1ok04.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DY1ok04.exe
    4408  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1LU72yJ3.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1LU72yJ3.exe
      4160  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        (crash handling for PID 4160, parent not logged)
              C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4160 -ip 4160
              C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 540
    1944  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ha9165.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ha9165.exe
      4660  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  1936  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7yV9jG46.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7yV9jG46.exe
    4536  C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "

Execution chain: the outer self-extractor drops DY1ok04.exe (itself a self-extractor) and 7yV9jG46.exe into IXP000.TMP; DY1ok04.exe drops 1LU72yJ3.exe and 2ha9165.exe into IXP001.TMP, and each of those starts and hollows its own AppLaunch.exe; 7yV9jG46.exe runs is64.bat through cmd.exe. PID 4160, the AppLaunch.exe hollowed by 1LU72yJ3.exe, crashed and was handled by WerFault, which matches the "Program crash" entry in the summary.

Network

Repeated rows are folded into a connection count.

Country Destination Domain Proto Connections
RU 5.42.92.51:19057 (none, hard-coded IP) tcp 6
US 204.79.197.200:443 tse1.mm.bing.net tcp 5
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp 1
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp 1
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp 1
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp 1
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp 1
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp 1
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp 1

The one destination attributable to the sample is 5.42.92.51:19057: a raw TCP connection to a Russian host on a non-standard port, reached by hard-coded IP (no DNS resolution for it was observed) and contacted six times during the run. With RedLine and Mystic detections on the same detonation this is the command-and-control candidate and the indicator to block and hunt for. The rest is background activity of the Windows sandbox image, not the sample: reverse (in-addr.arpa) lookups sent to 8.8.8.8 for addresses the OS itself talked to, and the tse1.mm.bing.net connections.
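An added example, not part of the report or the sandbox, that applies the separation above to the network table: it parses the rows, decodes the in-addr.arpa names back to the addresses the host reverse-resolved, folds repeated connections into counts, and leaves only the hard-coded IP as a C2 candidate. The resolver address and the benign domain suffix list are assumptions about a stock Windows sandbox image and should be adjusted for your own.

```python
import re
from collections import Counter

# Constructed sample: the Network table of this report, one row per connection or lookup.
NETWORK_ROWS = """
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
RU 5.42.92.51:19057 tcp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
""".strip().splitlines()

# Row layout: <country> <ip>:<port> [<domain>] <proto>; the domain column is absent for raw IP connections.
ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>udp|tcp)$")

# Assumptions about the sandbox image's own background traffic; extend for your environment.
RESOLVERS = {"8.8.8.8"}
BENIGN_DOMAIN_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com", ".msftncsi.com")


def ptr_to_ip(name):
    """'208.194.73.20.in-addr.arpa' -> '20.73.194.208', the address the host reverse-resolved."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[:-len(suffix)].split(".")))


def parse_rows(rows):
    out = []
    for line in rows:
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            out.append(d)
    return out


def triage_network(rows):
    """Split the table into background noise and C2 candidates, aggregating repeats."""
    reverse_lookups, background, c2 = [], Counter(), Counter()
    for r in parse_rows(rows):
        ip, domain = r["ip"], r["domain"]
        if ip in RESOLVERS and r["port"] == 53:
            # DNS to the image's resolver; PTR queries reveal which addresses the OS touched.
            target = ptr_to_ip(domain) if domain else None
            if target:
                reverse_lookups.append(target)
            background[("dns", domain)] += 1
        elif domain and domain.endswith(BENIGN_DOMAIN_SUFFIXES):
            background[(ip, r["port"], r["proto"])] += 1
        else:
            # No name, hard-coded IP, arbitrary port: the indicator worth blocking and hunting.
            c2[(r["cc"], ip, r["port"], r["proto"])] += 1
    return {
        "c2_candidates": [dict(zip(("cc", "ip", "port", "proto"), k), connections=n) for k, n in c2.items()],
        "reverse_lookups": reverse_lookups,
        "background": dict(background),
    }


if __name__ == "__main__":
    result = triage_network(NETWORK_ROWS)
    for c in result["c2_candidates"]:
        print(f"C2 candidate: {c['ip']}:{c['port']}/{c['proto']} ({c['cc']}), {c['connections']} connections")
    print("reverse-resolved addresses:", ", ".join(result["reverse_lookups"]))
```

The decoded reverse lookups (20.73.194.208, 40.126.31.69, 192.229.221.95 and so on) are useful when comparing against a clean baseline run of the same image: anything the baseline also resolves can be dropped from the sample's IOC set.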

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DY1ok04.exe

MD5 806f78cfde737e04aea2755bfae7e0b4
SHA1 163f6c88c49fc24db48dcbe5f002353a8c13516e
SHA256 54285d563d7071f134c3eb44bcc6c4c27e14dc346edc7ab12b21ed5c914b540e
SHA512 d071741b2c1fb64db00e2d4bdf3725c5d31145d7e6346c5b4b9918c163775939bbff27779e2621a5063859ab72d2759e862c5c5d77a11c7a2ff0172eacacd72a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1LU72yJ3.exe

MD5 a508ebb6759731caba4c17d9e14b2c96
SHA1 13a7635f6b2d55624a6a2c7b819d7dcc9c08c49c
SHA256 dbeb58570cd73fbddb2ec33e7e45bbb3bd9a905900be9e984ab00484b1704ad0
SHA512 fa000924ac9fcffddbc058a87b6a5264a9419177dd99fbd5a58979fe323ecad269a212b91ee15633d134b1f7de4286166db7d454894e7048f3652da86a1b700d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ha9165.exe

MD5 ca74e9407792e3b9fe5c064ad7d317c4
SHA1 7bda477d9e1a68c135b0929f51533519ae4613d8
SHA256 0234911d041fdf5283e5507d141bfaf20ad69611b7cfbda43c16d0b854bb214c
SHA512 2499a6e38a6b2350a6e024db615d3e1a00f7c21170d2bb56ec9d7c33316d78650562b04dab6e390242688ffd843dce9fb8dfbff9e7e9ddf58b98e41a8f37ca76

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7yV9jG46.exe

MD5 0ed4dbd9834478c5efcc77b024e80f98
SHA1 c438ccb0997ed694a021026fa74117a6e8f96a3c
SHA256 8a6b326ee45afef638aa5d87ee28425ead9a23d759b4b2e44dc242272bc1abe9
SHA512 90282736f40f950036d07a0a9ea84efe5d19e6b43b5afb85c89bd5c38def8d388f47b6cc71f3c1c4e8c9449d6c9b27dadbca7f7f3fe4cb46f5145e5bc6fa30de

C:\Users\Admin\AppData\Local\Temp\is64.bat

MD5 225edee1d46e0a80610db26b275d72fb
SHA1 ce206abf11aaf19278b72f5021cc64b1b427b7e8
SHA256 e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
SHA512 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

C:\Users\Admin\AppData\Local\Temp\is64.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

These four values are the digests of empty input: is64.txt is a zero-byte file, so the batch file is64.bat is the only one of the pair worth hashing or hunting for.

Memory dumps

PID 4160 (AppLaunch.exe spawned by 1LU72yJ3.exe)

memory/4160-14-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4160-15-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4160-16-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4160-18-0x0000000000400000-0x0000000000433000-memory.dmp

PID 4660 (AppLaunch.exe spawned by 2ha9165.exe)

memory/4660-22-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4660-28-0x0000000073860000-0x0000000074010000-memory.dmp
memory/4660-29-0x0000000007BB0000-0x0000000008154000-memory.dmp
memory/4660-30-0x00000000076E0000-0x0000000007772000-memory.dmp
memory/4660-33-0x00000000076A0000-0x00000000076B0000-memory.dmp
memory/4660-34-0x0000000007890000-0x000000000789A000-memory.dmp
memory/4660-39-0x0000000008780000-0x0000000008D98000-memory.dmp
memory/4660-40-0x0000000007A40000-0x0000000007B4A000-memory.dmp
memory/4660-41-0x0000000007970000-0x0000000007982000-memory.dmp
memory/4660-42-0x00000000079D0000-0x0000000007A0C000-memory.dmp
memory/4660-43-0x0000000007B50000-0x0000000007B9C000-memory.dmp
memory/4660-44-0x0000000073860000-0x0000000074010000-memory.dmp
memory/4660-45-0x00000000076A0000-0x00000000076B0000-memory.dmp

0x400000 is the default image base of a 32-bit executable. A dump of that range taken from a process whose on-disk image is the signed AppLaunch.exe is the payload its parent wrote into it (see the WriteProcessMemory rows), and it is the artifact to carve and scan for the Mystic and RedLine signatures rather than the droppers on disk. The remaining ranges in PID 4660 are other regions of the same process that the sandbox dumped.